This is sort of an English version of a website related to my Czech book describing Windows kernel

New Certificate!

Finally, it seems I have found a certificate authority that suits my needs related to kernel mode code signing certificates. I am talking about the Certum CA from Poland. There are three main advantages: code signing certificates may be acquired by individuals, their price is quite good, the identity verification process is fast and not so annoying as in case of some other authorities I have an experience with.

I have discovered this authority by accident. When installing a 3rd-party application, I noticed the certificate subject string displayed in the UAC prompt. It stated something like “, Open Source Developer”. I did not know about any authority issuing special code signing certificates to people involved in the open source development, so I got interested immediately, and soon found certificate’s issuer – Certum CA. And after some additional research, I discovered that their certificates may be also used for kernel mode code signing (that cannot be deduced from the certificate directly).

The CA actually has an extra certificate type for open source developers which should differ from the standard one only by two things: its cost is reduced roughly to 30%, and you need to show your open source projects in order to purchase it. It seems that the CA was giving these certificates for free, in the past. However, I think that 30 EUR is still a good price for a code signing certificate. Even the cost of the standard one is not bad (100 EUR), especially compared to Symantec ($500).

The other good thing was that CA’s website also covered the identity verification process which is not a typical approach, according to my experience with COMODO and Symantec/VeriSign (but maybe, I was just unable to find the information on corresponding places). The identity verification process for individuals is really simple (for EU citizens at least): you show them your ID and an utility bill, and that’s it. They even processed my documents during a weekend. No worries about notarized letters (Symantec/VersiSing), or troubles with the DUNS database (Comodo) although I must admit that kf I lived in the U.S., I would probably pick Comodo and the verificaton would go smoothly. Unfortunately, modifying the DUNS database records for a non-American citizen proved to be quite a challenge and I gave it up.

The Certum CA permits generation and storage of private keys only on smart cards. Fortunately, you may purchase necessary equipment from them – USB smardcard reader, the card and a SD card with required software, all in one device. Well, it increases the total cost quite a bit, but I expect the device will serve me also for certificate renewals. I am just hoping that the device won’t get broken since I did not managed to backup the private keys… But security is security.

When speaking about things that were not so perfect, I was quite surprised that the identity verification process started after I had paid the order (and had actually received the smard card reader device). So, But the verification was not a problem, so I did not need to worry about refunding. Also, when purchasing the certificate, I sometimes reached places not present in the English version of the website. But this is just a minor glitch since Czech and Polish are quite similar and there is always the Google Translator website.

To sum things up, I have finally succeeded in obtaining a new KMCS certificate, so you may look forward to new versions of my software. I plan to sign a new release of VrtuleTree and, for the first time, IRPMon which should be released really soon. The Certum CA seems to be the right choice for me due to their pricing and transparent idnetity verification process. Although there are some minor glitches, I am definitely planning to purchase a new certificate there when my current (and currently new) one expires.